From: "Mooneer Salem" <mooneer@translator.cx>
To: "pura life CR", freebsd-chat@freebsd.org
Subject: RE: Processes hiding techniques.
Date: Fri, 14 Feb 2003 21:05:24 -0800
List-ID: freebsd-chat

Hello,

Processes are represented in the kernel as struct proc. Basically, a modified copy of ps(1) could be installed (assuming the intruder gains root) that would hide the process. It's also possible to load a kernel module that will hide the process.

This page might help: http://www.pimmel.com/articles/bsdkern.html

Thanks,
--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/

-----Original Message-----
From: owner-freebsd-chat@FreeBSD.ORG [mailto:owner-freebsd-chat@FreeBSD.ORG] On Behalf Of pura life CR
Sent: Friday, February 14, 2003 8:40 PM
To: freebsd-chat@freebsd.org
Subject: Processes hiding techniques.
Hi,

I would like to know what the current process-hiding techniques are that an intruder can use in FreeBSD. I would like to know this so I can learn how to deal with this situation when I become a FreeBSD admin. For example, if a user wants to run nmap, a password cracker or an IRC bot, what can he do to hide the process so that the admin, when performing a ps -ax, is not able to see the process?

_________________________________________________________________
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message